From video streaming to virtual gaming, our time spent online is hitting an all-time high as people find ways to entertain themselves while being quarantined. We’ve seen loads of our favourite celebrities taking to their social media channels to showcase how they are practicing social distancing and coping with the boredom. This isn’t limited to celebrities either – LinkedIn is clogged with photos of large conference calls and tips for working from home for people who are not accustomed to this lifestyle.
Social media has already been a large part of our lives and is going to be an even larger one as this continues. This may not seem like a huge threat, but when people get bored, they are more likely to make mistakes they would otherwise be vigilant about: leaving things that contain personal information in view on video streams, handing over PII on dating apps, and finding unsecured workarounds to limit the disruption as much as possible. This is a threat not only to the people themselves, but also to the enterprises they are affiliated with.
Let’s face it, people are brands now. CXOs are not just the faces of the company, they’re contributing factors to the brand. Even security professionals, who have traditionally played things close to the vest (and understandably so), have thousands of followers on social media. Blogging and vlogging, tweeting, speaking at events: they’ve created a global platform that accelerates not only the company but themselves as well.
We live in a time where celebrities are no longer just Hollywood stars and Grammy-winning musicians: heads of companies are celebs in their own right. Just look at Elon Musk: 31 million Twitter followers and a verified check mark next to his name. We want to know the people behind the company name because, if we can’t support them, we can’t support the company either.
This makes them an incredibly dangerous threat vector.
We’ve even seen this recently with the Jeff Bezos hacking incident, and it’s only going to get worse from here. We want to support companies who represent our ideals, right? Companies who have foundations or ties to charity organizations we really believe in. Those organizations in some cases manage very large amounts of money, and can also be politically inflammatory depending on the subject matter.
Let’s take an example. The CEO of a large bank: married with 3 kids, ages 7-16, each with at least 3 personal devices (being conservative here). They have a groundsperson, a few household staff, and their assistant(s), all of whom have some type of regular access to the property. This is only the authorized staff; tack on special projects, other family members, and party guests, and the vulnerability counts really start to rise. That’s just physical access to the property.
Then of course there is the beast that is digital access: social media, email, phone/text activity, dating apps, all of which can be used to gather the perfect information for a spear phishing attack. We offer up so much personal information online that seems innocent until it falls into the wrong hands, and if the target is manipulated carefully, even full credentials can be given away without the victim realizing it: just look at the video Jimmy Kimmel did on social engineering in 2015 to get people’s passwords.
With the upcoming election, there is even more attention on organizations with a political affiliation. Let’s go back to the earlier example and add to it. Say a hacktivist doesn’t like the fact that the bank is supporting a certain non-profit, but they’re having trouble breaking in the more traditional way. However, the CEO’s child is interning for the bank and posts their entire life on Instagram: geotagged photos, the names of their pets and friends, photos wearing school gear, and so on. Suddenly, the hacktivist has an entire profile of the kid. This can go a number of ways, and not many of them end well.
This is scary not only from a privacy perspective, but from a corporate perspective as well. Depending on how the hacktivist plays it, they could catfish the child, extract confidential information, or even gain access to the bank if played the right way. The kid becomes collateral damage, all because of their parent’s affiliation with an organization.
It doesn’t take much: “here, check out this meme” (with spyware embedded in the file) is basically what got Bezos. If it can happen to a tech mogul of that magnitude, it can definitely happen to a 16-year-old.
So what can be done here? Have we lost to the teenager who has downloaded their favorite game or social media app, or to the CXO who wants to tweet photos of their dog? Of course not. We just have to be more vigilant. Here are some quick tips to help get you started.
- Teach your kids and executive end users basic security and privacy tips.
  You don’t have to be a mechanic to know to put on a seatbelt, and the same concept applies here. Teaching them the basics will help.
- Enable MFA (preferably not SMS) on the devices and accounts that house the most personal information.
  This is good practice not only for corporate accounts but for personal ones too. Bringing these security hygiene habits into the home will foster better security corporately as well.
- Host third-party physical and digital security audits of your most notable executives.
  Executives who have become part of the brand need to be included in your security strategy. If you have questions on this, check out our VIP cybersecurity services page to learn more.
We have to start including our public executives in our security methodology. People are always going to be the weakest link in a security strategy, especially when they’re notable and in the public eye. It goes beyond awareness: we have to treat them as a valuable asset that needs protecting.